remove nixos-vps

2023-11-22 06:00:24 +03:00 · 2023-11-22 06:00:24 +03:00 · 6e0080fc57
commit 6e0080fc57
parent 2f165b1d89
14 changed files with 0 additions and 988 deletions
--- a/flake.nix
+++ b/flake.nix
@ -139,15 +139,6 @@
        specialArgs = { inherit inputs; };
      };
    in (genAttrs hostnames mkHost) // {
-      NixOS-VPS = {
-        system = builtins.readFile (./machines/NixOS-VPS/system);
-        modules = [
-          (import (./machines/NixOS-VPS))
-          { device = "NixOS-VPS"; mainuser = "ataraxia"; }
-        ];
-        specialArgs = { inherit inputs; };
-        channelName = "stable";
-      };
    };

    nixosHostsCI = builtins.listToAttrs (map (name: {
@ -243,7 +234,6 @@
        };
      };
    in builtins.mapAttrs mkDeploy {
-      NixOS-VPS = { hostname = "193.219.97.142"; };
      Home-Hypervisor = { hostname = "192.168.0.10"; };
      Dell-Laptop = { hostname = "192.168.0.101"; };
    };
--- a/machines/NixOS-VPS/default.nix
+++ b/machines/NixOS-VPS/default.nix
@ -1,172 +0,0 @@
-{ modulesPath, inputs, lib, pkgs, config, ... }: {
-  imports = with inputs.self; [
-    (modulesPath + "/profiles/qemu-guest.nix")
-    (modulesPath + "/profiles/minimal.nix")
-    inputs.disko.nixosModules.disko
-
-    ./hardware
-    ./network.nix
-    ./nix.nix
-    ./services/backups.nix
-    ./services/dns.nix
-    ./services/tailscale.nix
-    ./services/tor-bridge.nix
-    ./services/wireguard.nix
-    ./services/xtls.nix
-
-    customModules.devices
-    customModules.users
-
-    customProfiles.hardened
-    customProfiles.overlay
-  ];
-
-  # disko.devices = import ./disko.nix { inherit lib; };
-
-  # Misc
-  boot = {
-    supportedFilesystems = [ "vfat" "btrfs" ];
-    kernelModules = [ "tcp_bbr" "veth" "x_tables" ];
-    kernelParams = [
-      "scsi_mod.use_blk_mq=1"
-      "kvm.ignore_msrs=1"
-      "kvm.report_ignored_msrs=0"
-    ];
-    kernel.sysctl = {
-      "vm.swappiness" = 50;
-      "vm.vfs_cache_pressure" = 200;
-      "vm.dirty_background_ratio" = 1;
-      "vm.dirty_ratio" = 40;
-      "vm.page-cluster" = 0;
-      "net.ipv4.tcp_congestion_control" = "bbr";
-      "net.ipv4.tcp_slow_start_after_idle" = 0;
-      "net.core.default_qdisc" = "cake";
-      # "net.core.default_qdisc" = "fq";
-    };
-    loader.grub = {
-      devices = [ "/dev/sda" ];
-      efiSupport = true;
-      efiInstallAsRemovable = true;
-    };
-  };
-  zramSwap = {
-    enable = true;
-    algorithm = "zstd";
-    memoryPercent = 100;
-  };
-
-  deviceSpecific.isServer = true;
-  services.journald.extraConfig = "Compress=false";
-  nix.optimise.automatic = false;
-  nix.distributedBuilds = lib.mkForce false;
-  hardware.enableRedistributableFirmware = true;
-  environment.noXlibs = lib.mkForce false;
-  fonts.enableDefaultFonts = lib.mkForce false;
-  # fonts.fonts = [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];
-  security.polkit.enable = true;
-  # security.pam.enableSSHAgentAuth = true;
-  environment.systemPackages = with pkgs; [
-    bat
-    bottom
-    comma
-    git
-    kitty
-    micro
-    nix-index-update
-    pwgen
-  ];
-
-  # Locale
-  i18n.defaultLocale = "en_GB.UTF-8";
-  i18n.extraLocaleSettings = {
-    LANGUAGE = "en_GB.UTF-8";
-    LC_ALL = "en_GB.UTF-8";
-    LC_TIME = "en_GB.UTF-8";
-    LC_ADDRESS = "ru_RU.UTF-8";
-    LC_MONETARY = "ru_RU.UTF-8";
-    LC_PAPER = "ru_RU.UTF-8";
-  };
-  environment.sessionVariables = {
-    XKB_DEFAULT_LAYOUT = "us,ru";
-    XKB_DEFAULT_OPTIONS = "grp:win_space_toggle";
-    LANGUAGE = "en_GB.UTF-8";
-    LC_ALL = "en_GB.UTF-8";
-  };
-
-  # Hardened
-  networking.firewall = {
-    enable = true;
-    allowPing = false;
-    allowedTCPPorts = lib.mkDefault [ ];
-    allowedUDPPorts = lib.mkDefault [ ];
-  };
-  systemd.coredump.enable = false;
-  programs.firejail.enable = true;
-
-  # Users
-  services.openssh = {
-    enable = true;
-    settings.PasswordAuthentication = false;
-    settings.PermitRootLogin = lib.mkForce "prohibit-password";
-    settings.X11Forwarding = false;
-    extraConfig = "StreamLocalBindUnlink yes";
-    ports = [ 22 ];
-  };
-  users.mutableUsers = false;
-  users.users = {
-    ${config.mainuser} = {
-      isNormalUser = true;
-      extraGroups = [ "disk" "systemd-journal" "wheel" ];
-      uid = 1000;
-      hashedPassword =
-        "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
-      shell = pkgs.bash;
-      openssh.authorizedKeys.keys = [
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+xd8ClJPvJuAdYC9HlNnjiubEtYfvnKjYr9ROV+UmPVvI3ZITF24OaMI+fxgR0EqGfcUzSGom8528IB53Q3aFMIAaA0vKjW+jrByyB2l/k/+ttpLbH75c9WyOpAcUDTen8BhHKPyXOHoJ1jLu7GFmtPZ+mZo8thFB/VIRrwECHd8DnF0drsSCorkRp1bZC7bAHgztaYHNBUoAVGgJ7nLwW7DotlgbUEDiPJHXOxd/c/ZlXIB/cfUUqF+L5ThbMPhMcwRMspLy+nQdmHhih9k6SkvYqJoNqHT5/XeShb0RkIzvUWT2CYTPop5kAY5mMnatVTOY1FZPhHzk3G8MhOQ3r/elM/ecZxmjL8uozMN9kRGf1IL4DgQZfVqQRILdNSQGb0tfeiyirNZe1RlDw9UvMnZJOw0EkiC9lSSRhBWXXxAmxRrbNFTPQSp+/kiIGDmp2AsGhD11CfTDEU3wcLEUPBUqp1FYSzHncJyEKGy2Dpa5xaUJ0cuyGL4W3WHDXa4sTfY+AIXbQTD88Ujdsbfzyd6lrikG4D/crCurXissrh7q9DuYKWRI24cp5bw9lG33U1EXisnZqFyZNwMAmSj2QEGsHCwSevn0FgyRa2WYXgpZ9hfgY4le+ZSMo2JTosQ6DjGyxMDyQAHJ/ismTTzL67Q2p6U+73toYm62Qqdspw== (none)"
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP0/DReYSAfkucroMTdELzTORsGhhbEa+W0FDFBnwViHuoqoKvetCOkW657icexc5v/j6Ghy3+Li9twbHnEDzUJVtNtauhGMjOcUYt6pTbeJ09CGSAh+orxzeY4vXp7ANb91xW8yRn/EE4ALxqbLsc/D7TUMl11fmf0UW+kLgU5TcUYVSLMjQqBpD1Lo7lXLrImloDxe5fwoBDT09E59r9tq6+/3aHz8mpKRLsIQIV0Av00BRJ+/OVmZuBd9WS35rfkpUYmpEVInSJy3G4O6kCvY/zc9Bnh67l4kALZZ0+6W23kBGrzaRfaOtCEcscwfIu+6GXiHOL33rrMNNinF0T2942jGc18feL6P/LZCzqz8bGdFNxT43jAGPeDDcrJEWAJZFO3vVTP65dTRTHQG2KlQMzS7tcif6YUlY2JLJIb61ZfLoShH/ini/tqsGT0Be1f3ndOFt48h4XMW1oIF+EXaHYeO2UJ6855m8Wpxs4bP/jX6vMV38IvvnHy4tWD50= alukard@AMD-Workstation"
-      ];
-    };
-    deploy = {
-      description = "The administrator account for the servers.";
-      isNormalUser = true;
-      extraGroups = [ "wheel" ];
-      openssh.authorizedKeys.keys =
-        config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
-    };
-    root.openssh.authorizedKeys.keys =
-      config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
-  };
-  # Passwordless sudo for deploy user
-  security.sudo.extraRules = [{
-    users = [ "deploy" ];
-    commands = [{
-      command = "ALL";
-      options = [ "NOPASSWD" ];
-    }];
-  }];
-
-  # Podman
-  virtualisation = {
-    oci-containers.backend = lib.mkForce "podman";
-    podman.enable = true;
-    podman.dockerSocket.enable = true;
-    containers.registries.search = [
-      "docker.io" "gcr.io" "quay.io"
-    ];
-    containers.storage.settings = {
-      storage = {
-        driver = "overlay";
-        graphroot = "/var/lib/podman/storage";
-        runroot = "/run/containers/storage";
-      };
-    };
-  };
-  security.unprivilegedUsernsClone = true;
-
-  # Directory for some state files (like wireguard keys)
-  systemd.tmpfiles.rules = [
-    "d /srv 0755 root root -"
-  ];
-
-  system.stateVersion = "23.05";
-}
--- a/machines/NixOS-VPS/disko.nix
+++ b/machines/NixOS-VPS/disko.nix
@ -1,74 +0,0 @@
-{ lib, disks ? [ "/dev/sda" ], ... }: {
-  disk = lib.genAttrs disks (dev: {
-    device = dev;
-    type = "disk";
-    content = {
-      type = "table";
-      format = "gpt";
-      partitions = [
-        {
-          name = "boot";
-          start = "0";
-          end = "1M";
-          part-type = "primary";
-          flags = [ "bios_grub" ];
-        }
-        {
-          name = "ESP";
-          start = "1MiB";
-          end = "100MiB";
-          bootable = true;
-          content = {
-            type = "filesystem";
-            format = "vfat";
-            mountpoint = "/boot";
-          };
-        }
-        {
-          name = "root";
-          start = "100MiB";
-          end = "-2G";
-          part-type = "primary";
-          bootable = true;
-          # content = {
-          #   type = "filesystem";
-          #   format = "bcachefs";
-          #   extraArgs = [
-          #     "--block_size=8192"
-          #     "--compression=zstd"
-          #     "--discard"
-          #     "--acl"
-          #   ];
-          #   mountpoint = "/";
-          # };
-          content = {
-            type = "btrfs";
-            extraArgs = [ "-f" ];
-            subvolumes = {
-              "/rootfs" = {
-                mountpoint = "/";
-                mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
-              };
-              "/home" = {
-                mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
-              };
-              "/nix" = {
-                mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
-              };
-            };
-          };
-        }
-        {
-          name = "swap";
-          start = "-2G";
-          end = "100%";
-          part-type = "primary";
-          content = {
-            type = "swap";
-            randomEncryption = true;
-          };
-        }
-      ];
-    };
-  });
-}
--- a/machines/NixOS-VPS/hardware/default.nix
+++ b/machines/NixOS-VPS/hardware/default.nix
@ -1,41 +0,0 @@
-{ config, lib, pkgs, modulesPath, ... }: {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
-  boot.initrd.availableKernelModules =
-    [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-partuuid/34c39dc8-07e8-4dd0-9c74-462d43c874d0";
-    fsType = "btrfs";
-    options = [ "subvol=rootfs" "compress=zstd" "noatime" "autodefrag" "ssd" ];
-  };
-
-  fileSystems."/nix" = {
-    device = "/dev/disk/by-partuuid/34c39dc8-07e8-4dd0-9c74-462d43c874d0";
-    fsType = "btrfs";
-    options = [ "subvol=nix" "compress=zstd" "noatime" "autodefrag" "ssd" ];
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-partuuid/a9bc6629-2e9b-46e8-b482-aea8651d1949";
-    fsType = "vfat";
-  };
-
-  fileSystems."/home" = {
-    device = "/dev/disk/by-partuuid/34c39dc8-07e8-4dd0-9c74-462d43c874d0";
-    fsType = "btrfs";
-    options = [ "subvol=home" "compress=zstd" "noatime" "autodefrag" "ssd" ];
-  };
-
-  swapDevices = [{
-    device = "/dev/disk/by-partuuid/a460e7c7-3005-4516-9a8e-f751082b8bb6";
-    randomEncryption.enable = true;
-    randomEncryption.allowDiscards = true;
-    priority = 0;
-  }];
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
--- a/machines/NixOS-VPS/hardware/networks.nix
+++ b/machines/NixOS-VPS/hardware/networks.nix
@ -1,95 +0,0 @@
-rec {
-  privateIPv6Prefix = "fd3a:900e:8e74:ffff";
-  domain = "wg.ataraxiadev.com";
-
-  interfaces = {
-      # This is the public-facing interface. Any interface name with a prime
-      # symbol means it's a public-facing interface.
-      main' = {
-        bridgeName = "br0";
-        ifname = "enp0s18";
-        IPv4 = {
-          address = "193.219.97.142/26";
-          gateway = "193.219.97.129";
-          dns = [ "46.102.157.27" "46.102.157.42" ];
-        };
-        IPv6 = {
-          address = "2a0d:f302:128:3792::1/48";
-          gateway = "2a0d:f302:127::1";
-          dns = [ "2a0d:f302:99::99" "2a0d:f302:100::100" ];
-        };
-      };
-
-      wireguard0 = {
-        ifname = "wg0";
-        dns = [ "${privateIPv6Prefix}::0:53" ];
-        IPv4 = {
-          address = "10.100.0.1";
-          subnet = "10.100.0.0/16";
-        };
-        IPv6 = {
-          address = "${privateIPv6Prefix}::1";
-          subnet = "${privateIPv6Prefix}::0/64";
-        };
-      };
-    };
-
-  # Wireguard-related things.
-  wireguardPort = 40820;
-  wireguardIPv4Prefix = "10.100.0";
-  wireguardIPv6Prefix = "${privateIPv6Prefix}::0";
-  wireguardPeers = {
-    server = with interfaces.wireguard0; {
-      IPv4 = IPv4.address;
-      IPv6 = IPv6.address;
-    };
-    ataraxia = {
-      IPv4 = "${wireguardIPv4Prefix}.2";
-      IPv6 = "${wireguardIPv6Prefix}:2";
-    };
-    hypervisor = {
-      IPv4 = "${wireguardIPv4Prefix}.3";
-      IPv6 = "${wireguardIPv6Prefix}:3";
-    };
-    mikrotik = {
-      IPv4 = "${wireguardIPv4Prefix}.4";
-      IPv6 = "${wireguardIPv6Prefix}:4";
-    };
-    poco = {
-      IPv4 = "${wireguardIPv4Prefix}.5";
-      IPv6 = "${wireguardIPv6Prefix}:5";
-    };
-    kpoxa = {
-      IPv4 = "${wireguardIPv4Prefix}.6";
-      IPv6 = "${wireguardIPv6Prefix}:6";
-    };
-    kpoxa2 = {
-      IPv4 = "${wireguardIPv4Prefix}.7";
-      IPv6 = "${wireguardIPv6Prefix}:7";
-    };
-    faysss = {
-      IPv4 = "${wireguardIPv4Prefix}.8";
-      IPv6 = "${wireguardIPv6Prefix}:8";
-    };
-    faysss2 = {
-      IPv4 = "${wireguardIPv4Prefix}.9";
-      IPv6 = "${wireguardIPv6Prefix}:9";
-    };
-    faysss3 = {
-      IPv4 = "${wireguardIPv4Prefix}.10";
-      IPv6 = "${wireguardIPv6Prefix}:a";
-    };
-    doste = {
-      IPv4 = "${wireguardIPv4Prefix}.11";
-      IPv6 = "${wireguardIPv6Prefix}:b";
-    };
-    dell = {
-      IPv4 = "${wireguardIPv4Prefix}.12";
-      IPv6 = "${wireguardIPv6Prefix}:c";
-    };
-    hypervisor-dns = {
-      IPv4 = "${wireguardIPv4Prefix}.13";
-      IPv6 = "${wireguardIPv6Prefix}:d";
-    };
-  };
-}
--- a/machines/NixOS-VPS/network.nix
+++ b/machines/NixOS-VPS/network.nix
@ -1,65 +0,0 @@
-{ config, ... }:
-let
-  inherit (import ./hardware/networks.nix) interfaces domain;
-in {
-  services.resolved.enable = true;
-  networking = {
-    enableIPv6 = true;
-    usePredictableInterfaceNames = true;
-    useDHCP = false;
-    dhcpcd.enable = false;
-    nftables.enable = false; # incompatible with tailscale and docker/podman
-    domain = domain;
-  };
-  systemd.network = with interfaces.main'; {
-    enable = true;
-    wait-online.ignoredInterfaces = [ "lo" ];
-    networks = {
-      "10-wan" = {
-        matchConfig.Name = ifname;
-        linkConfig.RequiredForOnline = "enslaved";
-        networkConfig.Bridge = bridgeName;
-        networkConfig.DHCP = "no";
-        networkConfig.LinkLocalAddressing = "no";
-        networkConfig.IPv6AcceptRA = false;
-      };
-      "20-${bridgeName}" = {
-        matchConfig.Name = bridgeName;
-        address = [
-          IPv4.address IPv6.address
-          "192.168.0.1/24" "fc00::1/64"
-        ];
-        linkConfig.RequiredForOnline = "routable";
-
-        domains = [ config.networking.domain ];
-        networkConfig = {
-          DHCP = "no";
-          IPForward = true;
-          IPv6PrivacyExtensions = true;
-          LinkLocalAddressing = "no";
-          IPv6AcceptRA = false;
-          DNS = IPv4.dns ++ IPv6.dns;
-        };
-        routes = [
-          {
-            routeConfig.Gateway = IPv4.gateway;
-            routeConfig.GatewayOnLink = true;
-          }
-          {
-            routeConfig.Gateway = IPv6.gateway;
-            routeConfig.GatewayOnLink = true;
-          }
-        ];
-      };
-    };
-    netdevs = {
-      "20-${bridgeName}" = {
-        netdevConfig = {
-          Kind = "bridge";
-          Name = bridgeName;
-          MACAddress = "e6:95:b5:a6:28:c0";
-        };
-      };
-    };
-  };
-}
--- a/machines/NixOS-VPS/nix.nix
+++ b/machines/NixOS-VPS/nix.nix
@ -1,39 +0,0 @@
-{ config, lib, inputs, ... }: {
-  nix = {
-    nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ];
-    registry.self.flake = inputs.self;
-    registry.nixpkgs.flake = inputs.nixpkgs;
-    optimise.automatic = lib.mkDefault true;
-    extraOptions = ''
-      builders-use-substitutes = true
-      experimental-features = nix-command flakes
-      flake-registry = ${inputs.flake-registry}/flake-registry.json
-    '';
-    settings = {
-      auto-optimise-store = false;
-      require-sigs = true;
-      substituters = [
-        "https://cache.nixos.org"
-        "https://nix-community.cachix.org"
-        "https://nixpkgs-wayland.cachix.org"
-        "https://hyprland.cachix.org"
-        "https://ataraxiadev-foss.cachix.org"
-        "https://cache.ataraxiadev.com/ataraxiadev"
-        "https://numtide.cachix.org"
-      ];
-      trusted-public-keys = [
-        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
-        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-        "ataraxiadev-foss.cachix.org-1:ws/jmPRUF5R8TkirnV1b525lP9F/uTBsz2KraV61058="
-        "ataraxiadev:/V5bNjSzHVGx6r2XA2fjkgUYgqoz9VnrAHq45+2FJAs="
-        "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
-      ];
-      trusted-users = [ "root" config.mainuser "@wheel" ];
-      use-xdg-base-directories = true;
-    };
-  };
-  environment.etc.nixpkgs.source = inputs.nixpkgs;
-  environment.etc.self.source = inputs.self;
-}
--- a/machines/NixOS-VPS/services/backups.nix
+++ b/machines/NixOS-VPS/services/backups.nix
@ -1,26 +0,0 @@
-{ config, pkgs, lib, ... }: {
-  services.restic.backups.vps-data = {
-    initialize = true;
-    passwordFile = "/srv/restic-pass";
-    repositoryFile = "/srv/restic-repo";
-    paths = [
-      "/srv"
-      "/var/lib/acme"
-      # "/var/lib/headscale"
-      "/var/lib/redis-unbound"
-      "/var/lib/tailscale"
-      "/var/lib/tor"
-    ];
-    environmentFile = "${pkgs.writeText "restic.env" "GOMAXPROCS=1"}";
-    extraBackupArgs = [ "--no-scan" ];
-    timerConfig = {
-      OnCalendar = "daily";
-      Persistent = true;
-    };
-    pruneOpts = [
-      "--keep-daily 7"
-      "--keep-weekly 5"
-      "--keep-yearly 2"
-    ];
-  };
-}
--- a/machines/NixOS-VPS/services/dns.nix
+++ b/machines/NixOS-VPS/services/dns.nix
@ -1,228 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  inherit (import ../hardware/networks.nix) interfaces;
-  wg = interfaces.wireguard0;
-  wgIfname = wg.ifname;
-  brIfname = interfaces.main'.bridgeName;
-in {
-  # For debugging purposes
-  environment.systemPackages = with pkgs; [ tcpdump dnsutils ];
-  services.resolved.extraConfig = ''
-    DNSStubListener=off
-  '';
-  systemd.network.networks."20-${brIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
-  systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
-
-  networking.firewall = {
-    interfaces.${wgIfname} = {
-      allowedTCPPorts = [
-        config.services.blocky.settings.ports.dns
-        config.services.grafana.settings.server.http_port
-      ];
-      allowedUDPPorts = [
-        config.services.blocky.settings.ports.dns
-      ];
-    };
-  };
-
-  # TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html)
-  services.unbound = {
-    enable = true;
-    package = pkgs.unbound-full;
-    settings = {
-      server = {
-        root-hints = "${config.services.unbound.stateDir}/root.hints";
-        port = "553";
-        interface = [
-          "127.0.0.1" wg.IPv4.address
-          "::1" wg.IPv6.address
-        ];
-        access-control = [
-          "0.0.0.0/0 refuse"
-          "127.0.0.0/8 allow"
-          "${wg.IPv4.subnet} allow"
-          "::0/0 refuse"
-          "::1 allow"
-          "${wg.IPv4.subnet} allow"
-        ];
-        private-address = [
-          "127.0.0.0/8"
-          "${wg.IPv4.subnet}"
-          "::1"
-          "${wg.IPv4.subnet}"
-        ];
-	      hide-version = "yes";
-        aggressive-nsec = "yes";
-        cache-max-ttl = "86400";
-        cache-min-ttl = "600";
-        deny-any = "yes";
-        do-ip4 = "yes";
-        do-ip6 = "yes";
-        do-tcp = "yes";
-        do-udp = "yes";
-        harden-algo-downgrade = "yes";
-        harden-dnssec-stripped = "yes";
-        harden-glue = "yes";
-        harden-large-queries = "yes";
-        harden-referral-path = "yes";
-        harden-short-bufsize = "yes";
-        hide-identity = "yes";
-        minimal-responses = "yes";
-        msg-cache-size = "128m";
-        neg-cache-size = "4m";
-        prefer-ip6 = "no";
-        prefetch = "yes";
-        prefetch-key = "yes";
-        qname-minimisation = "yes";
-        rrset-cache-size = "256m";
-        rrset-roundrobin = "yes";
-        serve-expired = "yes";
-        so-rcvbuf = "4m";
-        so-reuseport = "yes";
-        so-sndbuf = "4m";
-        unwanted-reply-threshold = "100000";
-        use-caps-for-id = "yes";
-      };
-      cachedb = {
-        backend = "redis";
-        redis-server-host = "127.0.0.1";
-        redis-server-port = toString config.services.redis.servers.unbound.port;
-        redis-timeout = "300";
-        redis-expire-records = "no";
-      };
-    };
-  };
-  services.redis.vmOverCommit = true;
-  services.redis.servers.unbound = {
-    enable = true;
-    port = 7379;
-    databases = 1;
-    save = [ [ 3600 1 ] [ 1800 10 ] [ 600 100 ] ];
-    settings = {
-      maxmemory = "16mb";
-      protected-mode = true;
-      rdbchecksum = false;
-      stop-writes-on-bgsave-error = false;
-      tcp-keepalive = 300;
-      timeout = 0;
-    };
-  };
-  # TODO: maybe set internic ip address to hosts?
-  systemd.services.root-hints = {
-    script = ''
-      ${pkgs.wget}/bin/wget -O ${config.services.unbound.stateDir}/root.hints https://www.internic.net/domain/named.root
-    '';
-    serviceConfig.Type = "oneshot";
-    startAt = "1 0 1 */1 *";
-  };
-  # Blocky + prometheus + grafana
-  services.blocky = {
-    enable = true;
-    settings = {
-      upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
-      upstreamTimeout = "10s";
-      bootstrapDns = [{
-        upstream = "https://dns.quad9.net/dns-query";
-        ips = [ "9.9.9.9" "149.112.112.112" ];
-      }];
-      blocking = {
-        blackLists = {
-          ads = [
-            "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
-            "https://github.com/RPiList/specials/raw/master/Blocklisten/malware"
-          ];
-          telemetry = [
-            "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
-            "https://github.com/RPiList/specials/raw/master/Blocklisten/MS-Office-Telemetry"
-            "https://github.com/RPiList/specials/raw/master/Blocklisten/Win10Telemetry"
-          ];
-        };
-        clientGroupsBlock.default = [ "ads" "telemetry" ];
-      };
-      # disable caching (use unbound)
-      caching = {
-        minTime = -1;
-        maxTime = -1;
-        cacheTimeNegative = -1;
-        prefetching = false;
-      };
-      ports = {
-        dns = 53;
-        http = "127.0.0.1:4000";
-      };
-      prometheus.enable = true;
-      queryLog = {
-        type = "console";
-      };
-    };
-  };
-  services.prometheus = {
-    enable = true;
-    listenAddress = "127.0.0.1";
-    globalConfig.scrape_interval = "15s";
-    globalConfig.evaluation_interval = "15s";
-    scrapeConfigs = [{
-      job_name = "blocky";
-      static_configs = [{
-        targets = [ config.services.blocky.settings.ports.http ];
-      }];
-    }];
-  };
-  services.grafana = {
-    enable = true;
-    settings = {
-      analytics.reporting_enabled = false;
-      server = {
-        # domain = "${wg.IPv4.address}";
-        # http_addr = "${wg.IPv4.address}";
-        enable_gzip = true;
-        domain = "localhost";
-        http_addr = "127.0.0.1";
-        http_port = 3000;
-      };
-      # Grafana can be accessed only through wireguard, so it's secure enough
-      security = {
-        admin_user = "admin";
-        admin_password = "admin";
-        # admin_password = "$__file(/var/secrets/grafana)";
-      };
-      panels.disable_sanitize_html = true;
-    };
-    provision = {
-      enable = true;
-      datasources.settings = {
-        datasources = [{
-          name = "Prometheus";
-          type = "prometheus";
-          access = "proxy";
-          orgId = 1;
-          uid = "Y4SSG429DWCGDQ3R";
-          url = "http://127.0.0.1:${toString config.services.prometheus.port}";
-          isDefault = true;
-          jsonData = {
-            graphiteVersion = "1.1";
-            tlsAuth = false;
-            tlsAuthWithCACert = false;
-          };
-          version = 1;
-          editable = true;
-        }];
-      };
-      dashboards = {
-        settings = {
-          providers = [{
-            name = "My Dashboards";
-            options.path = "/etc/grafana-dashboards";
-          }];
-        };
-      };
-    };
-  };
-  environment.etc = {
-    "grafana-dashboards/blocky_rev3.json" = {
-      source = ../../../misc/grafana_blocky_rev3.json;
-      group = "grafana";
-      user = "grafana";
-    };
-  };
-}
--- a/machines/NixOS-VPS/services/tailscale.nix
+++ b/machines/NixOS-VPS/services/tailscale.nix
@ -1,21 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
-  tailscalePort = config.services.tailscale.port;
-  tailscaleIfname = config.services.tailscale.interfaceName;
-in {
-  networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ];
-  networking.firewall.trustedInterfaces = [ tailscaleIfname ];
-
-  systemd.network.networks."50-tailscale" = {
-    matchConfig.Name = tailscaleIfname;
-    linkConfig.Unmanaged = true;
-    linkConfig.ActivationPolicy = "manual";
-  };
-
-  services.tailscale = {
-    enable = true;
-    port = 18491;
-    useRoutingFeatures = "both";
-  };
-}
--- a/machines/NixOS-VPS/services/tor-bridge.nix
+++ b/machines/NixOS-VPS/services/tor-bridge.nix
@ -1,43 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  inherit (import ../hardware/networks.nix) interfaces;
-  bridgeName = interfaces.main'.bridgeName;
-  obfs4Port = 18371;
-in {
-  networking.firewall.interfaces.${bridgeName} = {
-    allowedTCPPorts = [ obfs4Port ];
-  };
-
-  # We can get bridge cert from file: /var/lib/tor/pt_state/obfs4_bridgeline.txt
-  # Fingerprint can be obtained from tor.service logs
-  services.tor = {
-    enable = true;
-    enableGeoIP = true;
-    client.enable = false;
-    relay.enable = true;
-    relay.role = "private-bridge";
-    settings = {
-      BridgeDistribution = "none";
-      BridgeRelay = true;
-      ContactInfo = "admin@ataraxiadev.com";
-      ORPort = [ 17429 ];
-      ServerTransportListenAddr = "obfs4 0.0.0.0:${toString obfs4Port}";
-      Nickname = "Ataraxia";
-    };
-  };
-
-  services.networkd-dispatcher = {
-    enable = true;
-    rules."restart-tor" = {
-      onState = [ "routable" "off" ];
-      script = ''
-        #!${pkgs.runtimeShell}
-        if [[ $IFACE == "${bridgeName}" && $AdministrativeState == "configured" ]]; then
-          echo "Restarting Tor ..."
-          systemctl restart tor
-        fi
-        exit 0
-      '';
-    };
-  };
-}
--- a/machines/NixOS-VPS/services/wireguard.nix
+++ b/machines/NixOS-VPS/services/wireguard.nix
@ -1,128 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
-  wireguardIFName = interfaces.wireguard0.ifname;
-in {
-  environment.systemPackages = [ pkgs.wireguard-tools ];
-
-  networking.firewall = {
-    allowedUDPPorts = [ wireguardPort ];
-    checkReversePath = lib.mkForce false;
-  };
-
-  boot.kernelModules = [ "wireguard" ];
-  systemd.network = {
-    wait-online.ignoredInterfaces = [ wireguardIFName ];
-
-    networks."90-${wireguardIFName}" = with interfaces.wireguard0; {
-      matchConfig.Name = wireguardIFName;
-      address = [
-        "${IPv4.address}/16"
-        "${IPv6.address}/64"
-      ];
-      DHCP = "no";
-      networkConfig = {
-        IPForward = true;
-        IPMasquerade = "both";
-        DNS = interfaces.main'.IPv4.dns ++ interfaces.main'.IPv6.dns;
-      };
-    };
-
-    netdevs."90-${wireguardIFName}" = {
-      netdevConfig = {
-        Name = wireguardIFName;
-        Kind = "wireguard";
-      };
-      wireguardConfig = {
-        PrivateKeyFile = "/srv/wireguard/private";
-        ListenPort = wireguardPort;
-      };
-      wireguardPeers = [
-        {
-          wireguardPeerConfig = with wireguardPeers.ataraxia; {
-            PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o=";
-            PresharedKeyFile = "/srv/wireguard/ataraxia/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-        {
-          wireguardPeerConfig = with wireguardPeers.hypervisor; {
-            PublicKey = "oKQ3HXZ1wwWyVgmA4RoCXscImohqB8hdMzP1FRArw0o=";
-            PresharedKeyFile = "/srv/wireguard/hypervisor/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-        {
-          wireguardPeerConfig = with wireguardPeers.mikrotik; {
-            PublicKey = "amReLTZgu6pwtKCnk1q8EG5uZSgUNxRoh5m3w1D3rQo=";
-            PresharedKeyFile = "/srv/wireguard/mikrotik/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-        {
-          wireguardPeerConfig = with wireguardPeers.poco; {
-            PublicKey = "ZbBJziuMjyHJNcgrLYIQtio7l3fEOJ4GXW4ST+N9V34=";
-            PresharedKeyFile = "/srv/wireguard/poco/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-        {
-          wireguardPeerConfig = with wireguardPeers.kpoxa; {
-            PublicKey = "U1wtbS8/yQGkBnBQUZs7KxxmvAajKb9jh83dDd2LdgE=";
-            PresharedKeyFile = "/srv/wireguard/kpoxa/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-        {
-          wireguardPeerConfig = with wireguardPeers.kpoxa2; {
-            PublicKey = "ghU3Puwz5PeXmnDlxyh+IeuwFK44V3rXlMiFGs5YnwI=";
-            PresharedKeyFile = "/srv/wireguard/kpoxa2/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-        {
-          wireguardPeerConfig = with wireguardPeers.faysss; {
-            PublicKey = "JLvKyFwI7b9MsiZsnNAt3qs5ob18b3mrOZKR5HZCORY=";
-            PresharedKeyFile = "/srv/wireguard/faysss/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-        {
-          wireguardPeerConfig = with wireguardPeers.faysss2; {
-            PublicKey = "S6k9l0K5/YmO5BPETQludC1CBHsKLsk9+n6kwSjx4n8=";
-            PresharedKeyFile = "/srv/wireguard/faysss2/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-        {
-          wireguardPeerConfig = with wireguardPeers.faysss3; {
-            PublicKey = "ka42gE67gShu88Ko7iQ/pK8zusod6bNIrIN8fkxVkC4=";
-            PresharedKeyFile = "/srv/wireguard/faysss3/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-        {
-          wireguardPeerConfig = with wireguardPeers.doste; {
-            PublicKey = "KVbEaO4DSpTb941zxOPQLWq2Glm9CDgK/9MwW95WuC0=";
-            PresharedKeyFile = "/srv/wireguard/doste/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-        {
-          wireguardPeerConfig = with wireguardPeers.dell; {
-            PublicKey = "//ss9UEHRFEZL4LbZaA1HiRUrMrn97kc7CmblUORXTc=";
-            PresharedKeyFile = "/srv/wireguard/dell/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-        {
-          wireguardPeerConfig = with wireguardPeers.hypervisor-dns; {
-            PublicKey = "x4uavQEEfhdqNC4FCOPfKlEDRJiwOz4dy2W1KhJtnwc=";
-            PresharedKeyFile = "/srv/wireguard/hypervisor-dns/preshared";
-            AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
-          };
-        }
-      ];
-    };
-  };
-}
--- a/machines/NixOS-VPS/services/xtls.nix
+++ b/machines/NixOS-VPS/services/xtls.nix
@ -1,45 +0,0 @@
-{ config, pkgs, lib, ... }: {
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  virtualisation.oci-containers.containers = {
-    nextcloud = {
-      autoStart = true;
-      image = "docker.io/nextcloud:stable";
-      ports = [ "9765:80" ];
-      volumes = [
-        "/srv/nextcloud/html:/var/www/html"
-        "/srv/nextcloud/config:/var/www/html/config"
-        "/srv/nextcloud/data:/var/www/html/data"
-      ];
-    };
-    x-ui = {
-      autoStart = true;
-      image = "ghcr.io/mhsanaei/3x-ui:v1.7.8";
-      environment = {
-        XRAY_VMESS_AEAD_FORCED = "false";
-      };
-      extraOptions = [ "--network=host" ];
-      volumes = [
-        "/srv/x-ui/db:/etc/x-ui"
-        "/srv/x-ui/certs:/root/cert"
-      ];
-    };
-    nginx = {
-      autoStart = true;
-      image = "docker.io/nginx:latest";
-      extraOptions = [ "--network=host" ];
-      volumes = [
-        "/srv/nginx/certs:/etc/ssl/certs:ro"
-        "/srv/nginx/nginx.conf:/etc/nginx/nginx.conf:ro"
-      ];
-    };
-  };
-
-  systemd.tmpfiles.rules = [
-    "d /srv/x-ui/db 0755 root root -"
-    "d /srv/x-ui/certs 0755 root root -"
-    "d /srv/nextcloud/html 0755 33 33 -"
-    "d /srv/nextcloud/config 0755 33 33 -"
-    "d /srv/nextcloud/data 0755 33 33 -"
-  ];
-}
--- a/machines/NixOS-VPS/system
+++ b/machines/NixOS-VPS/system
@ -1 +0,0 @@
-x86_64-linux